diff --git a/source/extensions/filters/common/rbac/engine_impl.cc b/source/extensions/filters/common/rbac/engine_impl.cc
index 404dadd1e7a76..8136a19a6a396 100644
--- a/source/extensions/filters/common/rbac/engine_impl.cc
+++ b/source/extensions/filters/common/rbac/engine_impl.cc
@@ -8,11 +8,6 @@ namespace Filters {
 namespace Common {
 namespace RBAC {
 
-namespace {
-const Envoy::Http::HeaderMapImpl empty_header = Envoy::Http::HeaderMapImpl();
-const envoy::api::v2::core::Metadata empty_metadata = envoy::api::v2::core::Metadata();
-} // namespace
-
 RoleBasedAccessControlEngineImpl::RoleBasedAccessControlEngineImpl(
     const envoy::config::rbac::v2alpha::RBAC& rules)
     : allowed_if_matched_(rules.action() ==
@@ -45,7 +40,11 @@ bool RoleBasedAccessControlEngineImpl::allowed(const Network::Connection& connec
 }
 
 bool RoleBasedAccessControlEngineImpl::allowed(const Network::Connection& connection) const {
-  return allowed(connection, empty_header, empty_metadata, nullptr);
+  static const Http::HeaderMapImpl* empty_header = new Http::HeaderMapImpl();
+  static const envoy::api::v2::core::Metadata* empty_metadata =
+      new envoy::api::v2::core::Metadata();
+
+  return allowed(connection, *empty_header, *empty_metadata, nullptr);
 }
 
 } // namespace RBAC
diff --git a/test/fuzz/utility.h b/test/fuzz/utility.h
index b9229fd20ff18..4536ae49bb083 100644
--- a/test/fuzz/utility.h
+++ b/test/fuzz/utility.h
@@ -20,7 +20,7 @@ inline Http::TestHeaderMapImpl fromHeaders(const test::fuzz::Headers& headers) {
 }
 
 // Convert from HeaderMap to test proto Headers.
-inline test::fuzz::Headers toHeaders(const Http::HeaderMapImpl headers) {
+inline test::fuzz::Headers toHeaders(const Http::HeaderMap& headers) {
   test::fuzz::Headers fuzz_headers;
   headers.iterate(
       [](const Http::HeaderEntry& header, void* ctxt) -> Http::HeaderMap::Iterate {